使用CORS预检OPTIONS请求的Ajax防伪POST(302重定向)
[英]Ajax anti-forgery POST with CORS preflight OPTIONS request (302 redirect)
问题描述
I recently updated a site I'm working on to check for anti-forgery tokens on all POST requests. 
我最近更新了一个我正在努力检查所有POST请求上的防伪令牌的网站。 For ajax requests I have put a prefilter on to check for the anti forgery token and add it to the headers 对于ajax请求,我已经安装了一个prefilter来检查防伪标记并将其添加到标头中
$.ajaxPrefilter(function (options, localOptions, jqXHR) {
if (options.type == "POST") {
var token = GetAntiForgeryToken();
jqXHR.setRequestHeader(token.name, token.value);
}
});
The site also has admin tools when logged in as an admin that uses CORS to send data to the separate admin site. 当以管理员身份登录时,该站点还具有管理工具,该管理员使用CORS将数据发送到单独的管理站点。 One of these tools is an AJAX post request. 其中一个工具是AJAX发布请求。 The header is added to the request and it works correctly. 标头添加到请求中,它可以正常工作。
The other tool is a GET request which returns a form, which is displayed in a dialog. 另一个工具是GET请求,它返回一个表单,该表单显示在对话框中。 This works fine. 这很好用。 However when the form is submitted, the preflight OPTIONS request is met with a 302, and I get the error "Response for preflight is invalid (redirect)" 但是,当提交表单时,预检OPTIONS请求遇到302,我收到错误“预检的响应无效(重定向)”
If I remove the ajaxPrefilter, the form post works, but the straight post request does not. 如果我删除ajaxPrefilter,表单发布工作,但直接发布请求不起作用。 With the Prefilter on, the straight post request works, but the form post does not. 启用Prefilter后,直接发布请求有效,但表单发布没有。 I'm pretty lost. 我很丢失。 The antiforgery header is allowed in Access-Control-Allow-Headers. Access-Control-Allow-Headers中允许使用防伪标头。 The requests for both are: 对两者的要求是:
OPTIONS http://localhost:64789/Example/Example/?_=1464356730712 HTTP/1.1
Host: localhost:64789
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:64947
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Access-Control-Request-Headers: __requestverificationtoken, accept, content-type
Accept: */*
Referer: http://localhost:64947/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
This one returns 302. 这个返回302。
OPTIONS http://localhost:64789/Example2/Example2/ HTTP/1.1
Host: localhost:64789
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:64947
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Access-Control-Request-Headers: __requestverificationtoken, accept, content-type
Accept: */*
Referer: http://localhost:64947/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
This one returns 200. 这个返回200。
Any help would be really useful. 任何帮助都非常有用。
2 个解决方案
解决方案1
0 2016-06-06 11:44:37
I think that you forgot to send content-type header for your form post. 我认为您忘记为您的表单发送内容类型标题。 Try adding some of content-types from this answer: https://stackoverflow.com/a/35452170/1727132 尝试从此答案中添加一些内容类型: https : //stackoverflow.com/a/35452170/1727132
解决方案2
0 已采纳 2016-06-07 13:13:02
通过将[HttpGet]属性添加到表单的get方法来解决此问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.